[PATCH] Fix null pointer dereference(s) --

10 years ago by Joshua Rogers — view source — reply

unread

Multiple places 'spprintf' is called with a NULL 'pbuf', which
passes itself to vspprintf, which dereferences it.

Although most places check whether 'pbuf'(normally called 'error')
is null, it is smarter to check it inside the function that
requires a non-null value.

This will avoid future problems, too.

See bug #68839 [https://bugs.php.net/bug.php?id=68839] for an example of `NULL` being passed to spprintf.
There are multiple other places checks are not used to confirm error/pbuf is not null.

main/spprintf.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/main/spprintf.c b/main/spprintf.c
index cd14882..faa97d1 100644
--- a/main/spprintf.c
+++ b/main/spprintf.c
@@ -848,11 +848,16 @@ PHPAPI size_t vspprintf(char **pbuf, size_t max_len, const char *format, va_list

smart_string_0(&buf);

//Test 'pbuf'(also known as 'error') against NULL, since it is called multiple places without checking against, causing null pointer dereferences.
if (buf.c) {

```
  *pbuf = buf.c;
```

```
  if(pbuf) {
```
```
  	*pbuf = buf.c;
```
```
  }
  result = buf.len;
```
} else {

```
  *pbuf = NULL;
```

```
  if(pbuf) {
```
```
  	*pbuf = NULL;
```
```
  }
  result = 0;
```
}

--
1.9.1

10 years ago by Stanislav Malyshev — view source — reply

unread

Hi!

//Test 'pbuf'(also known as 'error') against NULL, since it is called multiple places without checking against, causing null pointer dereferences.

No C++ comments please.

if (buf.c) {

```
*pbuf = buf.c;
```

```
if(pbuf) {
```
```
	*pbuf = buf.c;
```
```
}
result = buf.len;
```

I think if pbuf is null, it should return 0 immediately. The code you
provided would result in a memory leak if pbuf is NULL, since the
pointer to buf.c would be lost as soon as vspprintf exits.

--
Stas Malyshev
smalyshev@gmail.com

10 years ago by Joshua Rogers — view source — reply

unread

No C++ comments please.
Fixed.(Will push afterwards)
if (buf.c) {
 *pbuf = buf.c;
 if(pbuf) {
 	*pbuf = buf.c;
 }
 result = buf.len;
I think if pbuf is null, it should return 0 immediately. The code you
provided would result in a memory leak if pbuf is NULL, since the
pointer to buf.c would be lost as soon as vspprintf exits.

So, at the start of the code, have if(!pbuf) { return 0; }?

i.e;

--snip--
PHPAPI size_t vspprintf(char **pbuf, size_t max_len, const char format,
va_list ap) / {{{ */
{
if(!pbuf) {
return 0;
}
smart_string buf = {0};
size_t result;

    xbuf_format_converter(&buf, 1, format, ap);

--snip--
?

Let me know.

Thanks,

-- Joshua Rogers <https://internot.info/

[PATCH] Fix null pointer dereference(s) --

See bug #68839 [https://bugs.php.net/bug.php?id=68839] for an example of NULL being passed to spprintf. There are multiple other places checks are not used to confirm error/pbuf is not null.

Thanks,

See bug #68839 [https://bugs.php.net/bug.php?id=68839] for an example of `NULL` being passed to spprintf.
There are multiple other places checks are not used to confirm error/pbuf is not null.